According to tests performed by the ReVuln researchers, Internet Explorer 9, Google Chrome and Opera display warnings and the full or partial steam:// URLs before passing them to the Steam client for execution. Firefox also requests user confirmation, but doesn't display the URL and provides no warning, while Safari automatically executes steam:// URLs without user confirmation, the researchers said....In order to protect themselves users can disable the steam:// URL protocol handler manually or with a specialized application, or can use a browser that doesn't automatically execute steam:// URLs

I think that regardless of if the link comes from a javascript or not, at some point the browser gets to the part where its going to pass the URL on, and if its set to prompt it should prompt at that stage.